Health Data Breach Tally Spikes; AMCA Breach Reports Added
Total Number of Individuals Affected by Breaches Reported in 2019 Triples
The federal tally of major health data breaches has spiked over the last month, mostly because of the American Medical Collection Agency incident, which led to nearly two dozen breach reports from the firm's affected clients.
As of Thursday, the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website showed that the number of individuals affected by breaches added to the tally so far this year has tripled to nearly 33 million since Aug. 5, when Information Security Media Group offered a snapshot assessment.
Commonly called the "wall of shame," the federal tally lists health data breaches affecting 500 or more individuals.
AMCA Breach Impact
As of Thursday, breach reports from at least 22 AMCA clients were posted on the HHS website, affecting a total of nearly 26 million individuals.
So far in 2019, 332 breaches affecting 37.5 million individuals have been added to the HHS tally. That means nearly 70 percent of the individuals affected by those breaches were victims of the AMCA incident, which was first disclosed by the New York-based debt collections agency in June.
The federal tally shows that the AMCA incident - when all the victims' reports are included - is the second largest breach reported to HHS. The biggest breach is the 2014 cyberattack on health insurer Anthem Inc., which affected nearly 79 million individuals.
As of Thursday, a total of 2,887 breaches affecting a total of nearly 229 million individuals have been posted to the federal tally since its inception in 2009.
10 Largest Health Data Breaches Reported So Far in 2019
| Breached Entity | Individuals Affected |
| --- | --- |
| *Optum360 (on behalf of Quest Diagnostics) | 11.5 million |
| Dominion National | 3.0 million |
| *Clinical Pathology Laboratories | 1.7 million |
| Inmediata Health Group | 1.6 million |
| Bayamon Medical Center | 423,000 |
| *American Esoteric Laboratories | 410,000 |
Of the 10 largest breaches reported so far in 2019, six were reported by AMCA victims.
Some 205 of the 332 breaches posted to the federal tally in 2019 so far were reported as "hacking/IT incidents" impacting nearly 33 million individuals.
But at least a few of the largest breaches reported as "hacking/IT incidents" did not involve cyberattacks, but rather misconfigured IT settings. That includes a breach impacting about 973,000 individuals reported in February by Seattle-based UW Medicine.
Similarly, an incident that Puerto Rico-based Inmediata Health Group reported as an "unauthorized access/disclosure" breach actually involved a misconfigured IT setting that left the protected health information of nearly 1.6 million individuals exposed on the internet.
A Need for Clearer Reporting?
Susan Lucci, senior privacy and security consultant at tw-Security, notes that statistics drawn from the HHS breach website can be foggy because of the way entities report their breaches to HHS.
"One thing I think is important, if we are to learn statistically from these events, is some clarification on the right category for covered entities to use when posting breach information," she notes.
"For example, is an event that begins in email an email event, or is it unauthorized disclosure, or hacking? What about ransomware, where the intruders access a system through a fatal click, but then use hacking methodologies to further exploit the system? In other words, is the initiation of the data breach the 'cause' of the breach, or is it the event itself? Some covered entities may be unsure of the correct category to choose."
Good News, Bad News
While large breaches involving hacking incidents continue to soar, the one positive development in the federal tally update is that relatively few large breaches this year have involved lost or stolen unencrypted computing or storage devices, compared with years past.
So far in 2019, 23 such incidents impacting about 195,300 individuals have been posted to the federal tally, representing less than 5 percent of all individuals affected by major health data breaches this year.
On the other hand, business associates and other vendors have been culprits in some of the biggest health data breaches so far this year, most notably the AMCA incident.
Covered entities can take steps to push their business associates to improve their security postures, Lucci notes. That includes making sure that BAs "ensure that they are updating their compliance program in every area," she says.
"When was the last time they updated their security risk analyses? If they aren't reviewing policies, procedures and practices at least annually, they may find what they have in place is outdated and has not kept up with the organization's growth and potential new systems."
The surge in hacking incidents in the healthcare sector will continue unless strong action is taken, Lucci argues.
"Phishing emails could often introduce cybercriminal activity into a network that remains undetected for a long period of time," she says. "This is why it is critical to ensure the workforce is aware of many common email subject lines that are being used. ... Attention getters are 'inbox over size limit,' 'survey request,' 'urgent,' 'follow-up,' and 'PTO balance exceeded.'"
"Recently, we have seen survey requests that look authentic that appear to be sent from a corporate executive, so these specific types of examples should be shared," she notes.